From f602bc621ab6ceba9f901cc992fda0eab764c57e Mon Sep 17 00:00:00 2001
From: Thibault Soubiran
Date: Thu, 24 Aug 2023 14:02:23 +0200
Subject: [PATCH] feat: customize user paths default. Resolves: #689 (#692)

Signed-off-by: Thibault Soubiran
---
 roles/os_hardening/README.md | 5 +++++
 roles/os_hardening/defaults/main.yml | 1 +
 roles/os_hardening/tasks/minimize_access.yml | 7 +------
 3 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/roles/os_hardening/README.md b/roles/os_hardening/README.md
index 3cc9cbd0..04525d4d 100644
--- a/roles/os_hardening/README.md
+++ b/roles/os_hardening/README.md
@@ -290,6 +290,11 @@ To prevent some of the filesystems from being disabled, add them to the `os_file
 - Description: true if this is a desktop system, ie Xorg, KDE/GNOME/Unity/etc. - Type: bool - Required: no +- `os_env_user_paths` - Default: `[/usr/local/sbin, /usr/local/bin, /usr/sbin, /usr/bin, /sbin, /bin]` - Description: Specify paths to the user's `PATH` variable. - Type: list - Required: no - `os_env_extra_user_paths` - Default: `"[]"` - Description: add additional paths to the user's `PATH` variable (default is empty).
diff --git a/roles/os_hardening/defaults/main.yml b/roles/os_hardening/defaults/main.yml
index 1ce0ac86..7430d806 100644
--- a/roles/os_hardening/defaults/main.yml
+++ b/roles/os_hardening/defaults/main.yml
@@ -1,5 +1,6 @@
 ---
 os_desktop_enable: false
+os_env_user_paths: [/usr/local/sbin, /usr/local/bin, /usr/sbin, /usr/bin, /sbin, /bin]
 os_env_extra_user_paths: []
 os_auth_pw_max_age: 60
 os_auth_pw_min_age: 7 # Discourage password cycling
diff --git a/roles/os_hardening/tasks/minimize_access.yml b/roles/os_hardening/tasks/minimize_access.yml
index a7083865..307a5b70 100644
--- a/roles/os_hardening/tasks/minimize_access.yml
+++ b/roles/os_hardening/tasks/minimize_access.yml
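Review bot: The new `os_env_user_paths` default is written as a six-element flow sequence on a single line, while the task in `minimize_access.yml` that consumes it previously kept the same directories as a block sequence; a block-style list with one `- /usr/local/sbin` style entry per line diffs more cleanly when users override or extend it and matches the style of the role's task files. A short comment above the key, such as `# Directories scanned for group/world-writable files; override when a host uses a different PATH layout`, would also tell readers of defaults/main.yml what the list is used for without opening the tasks.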
@@ -7,12 +7,7 @@
 - name: Find files with write-permissions for group # noqa command-instead-of-shell
 ansible.builtin.shell: find -L {{ item }} -perm /go+w -type f
 with_community.general.flattened:
- - /usr/local/sbin
- - /usr/local/bin
- - /usr/sbin
- - /usr/bin
- - /sbin
- - /bin
+ - "{{ os_env_user_paths }}"
 - "{{ os_env_extra_user_paths }}"
 register: minimize_access_directories
 ignore_errors: true
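Review bot: The directories expanded into `find -L {{ item }} -perm /go+w -type f` on the `ansible.builtin.shell` context line are now taken from the user-settable `os_env_user_paths`, but `item` is still interpolated unquoted, so a configured path containing whitespace or shell metacharacters is split or interpreted by the shell instead of being passed as one argument. Since the shell module is already accepted via the `noqa` marker, the minimal fix is `ansible.builtin.shell: find -L {{ item | quote }} -perm /go+w -type f`. A one-line comment above `with_community.general.flattened:` noting that `os_env_user_paths` replaces the former fixed list and must be a list of absolute directories would help, because a scalar value would be flattened into a single item rather than rejected. The README entry in this patch describes the variable as setting the user's `PATH`, while the only consumer visible here is this scan; if templates elsewhere in the role still hardcode the same directory list, they presumably should read the new variable too — worth confirming.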